Cyber Incident Victim: KP Snacks
Date: Jan 2022
Location: United Kingdom
Summary
KP Snacks experienced a ransomware attack attributed to the Conti group, disrupting its supply chain and causing delayed or cancelled deliveries to major retailers, with shortages projected to last until the end of March 2022. The attackers also exfiltrated sensitive data, including employee records, financial documents, and confidential agreements, and posted samples on Conti's leak site alongside threats to release further proprietary information unless a ransom was paid. Internal IT teams worked with third-party forensic experts to investigate and contain the attack, enacting the company's cybersecurity response plan while maintaining communication with stakeholders. Conti, a ransomware-as-a-service operation linked to Russian cybercrime actors, typically gained initial access through malware such as BazarLoader or TrickBot and targeted high-revenue organizations, stealing data before encrypting files so that it could extort payment both for decryption and for withholding the stolen data. Operational impacts included manufacturing and shipping interruptions, and the company initiated recovery efforts to minimize product shortages.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 28, 2022, KP Snacks, a major British snack producer with brands including Hula Hoops, Skips, and KP Nuts, detected a ransomware incident affecting its IT systems. The company immediately activated its cybersecurity response plan, engaging a leading forensic IT firm and legal counsel to investigate. Internal IT teams collaborated with third-party experts to assess the breach, in which the attackers encrypted systems and exfiltrated sensitive files such as employee records, financial documents, birth certificates, and confidential agreements. The Conti ransomware group claimed responsibility, threatening to leak the stolen data unless KP Snacks met its demands within five days. Conti's private leak page displayed samples of the stolen data, including credit card statements, employee addresses, phone numbers, and spreadsheets; the presence of these samples is what confirmed that data had been taken rather than merely encrypted. DarkFeed, a darknet intelligence provider, corroborated Conti's involvement, warning of impending data leaks on the group's public blog. KP Snacks notified retailers of supply chain disruptions via a letter, citing delays or cancellations in deliveries to major UK supermarkets. The company projected that shortages could persist until the end of March, affecting manufacturing and shipping processes.

The attack disrupted KP Snacks' operations, forcing the company to develop contingency plans to maintain product availability. Conti, a Russian-linked Ransomware-as-a-Service (RaaS) operation associated with the Wizard Spider cybercrime group, historically used BazarLoader or TrickBot malware to gain initial access to networks before deploying its ransomware. KP Snacks publicly acknowledged the incident, apologizing for disruptions while maintaining communication with employees, customers, and suppliers. The FBI, CISA, and NSA had previously issued a joint advisory about Conti's escalating activity, noting its attacks on high-profile targets such as Ireland's Health Service Executive, Nordic Choice hotels, and Indonesia's central bank. Conti's tactics followed the double-extortion model: exfiltrating data first, then encrypting systems, so that victims faced both operational outage and the threat of publication if they refused to pay. KP Snacks did not disclose whether negotiations occurred or whether a ransom was paid. Independent cybersecurity analysts highlighted broader ransomware trends, citing UK organizations' average losses of £626,000 per incident and operational disruptions affecting revenue and customer retention. The incident underscored the tangible supply chain consequences of ransomware, following similar attacks on retailers such as James Hall & Co, which temporarily closed over 300 stores in late 2021 because of a cyberattack.
